11 July 2009

Are policies mandatory and guidelines optional?

Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain.

For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree.

Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions (unauthorized non-compliance) whatsoever being permitted. However this kind of binary situation tends to be rather unusual in information security. More often, "mandatory" statements are in fact very strong requirements or obligations but if there are justifiable reasons for not complying, that's probably OK provided the resulting risks are understood and are acceptable to management - an important proviso.* You may take the hard line that policies can only contain absolutely mandatory statements, in which case you will end up with an admirably succinct set of policies ... but a long list of exemptions and exceptions. This mess is not easy to read, and worse still implies that exemptions and exceptions are the norm, not the exception (if you get my drift).

Likewise, "optional" could mean 'go ahead if you feel like it, otherwise ignore this and do whatever you want' but more often means 'advisory' or 'recommended' or 'strongly recommended' or 'ignore this at your peril' with many other context-dependent interpretations. In other words, "optional" is not a specific strength of requirement but a broad range, meaning something slightly to a lot less than absolutely mandatory.

There's nothing wrong in my book with policies offering implementation guidance as well as requirements, provided the wording is such that the intention is clear either way. Words such as 'must' and 'shall' and 'will' normally mean firm requirements, whereas 'may' and 'should' and 'ought' and 'could' and 'can' normally imply some discretion. It is entirely appropriate for policies to allow management and possibly staff discretion in some circumstances, without the need always to create and seek management approval for a formal policy exemption or ending up by default with a policy exception. Furthermore, little bits of helpful advice and explanation such as examples make the requirements clearer. Flexibility in the wording and interpretation can make a policy much more readable which creates a very important benefit per se: policies that are too formalised and/or attempt to lay out explicit requirements for all possible circumstances are stilted, difficult to read and hence are mostly not read in practice. Read a typical contract or law, in detail, to see what I mean! If you really intend your information security policies to sit on a shelf collecting dust until used in anger by the lawyers, go ahead with this approach but that is not generally accepted good information security practice.

Again, if you feel that guidelines are purely advisory, then you need
to be extremely careful not to even mention any mandatory rules,
requirements, laws or other obligations unless you have very deep
pockets, since you will create a serious earning opportunity for the
lawyers. Guidelines often refer to more or less mandatory requirements from the policies and standards, offering tips or advice on how to implement them. If you view the organization's policy/standards/procedures/guidelines etc. as a classic layered triangle, the mandatory requirements are formally identified in broad terms in the upper level/s of the triangle and trickle down through the entire hierarchy, with more and more helpful explanatory advice and details being added to items at the lower levels.

Therefore many things identified in a typical guideline will in fact be considered mandatory, whereas others are merely helpful suggestions. Careful wording can or rather should make the distinction clear. Mandatory requirements or obligations are often identified by referencing applicable policy statements. In some cases, the exact wording may be formally quoted from a policy, and then "interpreted" in the guideline for one or more specific contexts.

Finally, I'll just mention that essentially the same considerations apply to standards, procedures, advisories, recommendations, briefings, acceptable use policies, terms and conditions of employment and a million other things we use at work. It's a brave or foolhardy information security manager/CISO who states categorically that particular documents are either totally mandatory or optional.

Bottom line: if you really intend to take such a clear-cut line on the differences between
policies and guidelines in terms of the mandate or obligation to comply, be aware that in so doing you will be creating
a whole new set of problems.

* Even laws work this way. The police and judicial systems have some
discretion in applying them. Some commonplace practices break the laws
and are strictly-speaking illegal, but offenders are not necessarily
prosecuted or if they are may be given nominal penalties.

Comments

Are policies mandatory and guidelines optional?

Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain.

For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree.

Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions (unauthorized non-compliance) whatsoever being permitted. However this kind of binary situation tends to be rather unusual in information security. More often, "mandatory" statements are in fact very strong requirements or obligations but if there are justifiable reasons for not complying, that's probably OK provided the resulting risks are understood and are acceptable to management - an important proviso.* You may take the hard line that policies can only contain absolutely mandatory statements, in which case you will end up with an admirably succinct set of policies ... but a long list of exemptions and exceptions. This mess is not easy to read, and worse still implies that exemptions and exceptions are the norm, not the exception (if you get my drift).

Likewise, "optional" could mean 'go ahead if you feel like it, otherwise ignore this and do whatever you want' but more often means 'advisory' or 'recommended' or 'strongly recommended' or 'ignore this at your peril' with many other context-dependent interpretations. In other words, "optional" is not a specific strength of requirement but a broad range, meaning something slightly to a lot less than absolutely mandatory.

There's nothing wrong in my book with policies offering implementation guidance as well as requirements, provided the wording is such that the intention is clear either way. Words such as 'must' and 'shall' and 'will' normally mean firm requirements, whereas 'may' and 'should' and 'ought' and 'could' and 'can' normally imply some discretion. It is entirely appropriate for policies to allow management and possibly staff discretion in some circumstances, without the need always to create and seek management approval for a formal policy exemption or ending up by default with a policy exception. Furthermore, little bits of helpful advice and explanation such as examples make the requirements clearer. Flexibility in the wording and interpretation can make a policy much more readable which creates a very important benefit per se: policies that are too formalised and/or attempt to lay out explicit requirements for all possible circumstances are stilted, difficult to read and hence are mostly not read in practice. Read a typical contract or law, in detail, to see what I mean! If you really intend your information security policies to sit on a shelf collecting dust until used in anger by the lawyers, go ahead with this approach but that is not generally accepted good information security practice.

Again, if you feel that guidelines are purely advisory, then you need
to be extremely careful not to even mention any mandatory rules,
requirements, laws or other obligations unless you have very deep
pockets, since you will create a serious earning opportunity for the
lawyers. Guidelines often refer to more or less mandatory requirements from the policies and standards, offering tips or advice on how to implement them. If you view the organization's policy/standards/procedures/guidelines etc. as a classic layered triangle, the mandatory requirements are formally identified in broad terms in the upper level/s of the triangle and trickle down through the entire hierarchy, with more and more helpful explanatory advice and details being added to items at the lower levels.

Therefore many things identified in a typical guideline will in fact be considered mandatory, whereas others are merely helpful suggestions. Careful wording can or rather should make the distinction clear. Mandatory requirements or obligations are often identified by referencing applicable policy statements. In some cases, the exact wording may be formally quoted from a policy, and then "interpreted" in the guideline for one or more specific contexts.

Finally, I'll just mention that essentially the same considerations apply to standards, procedures, advisories, recommendations, briefings, acceptable use policies, terms and conditions of employment and a million other things we use at work. It's a brave or foolhardy information security manager/CISO who states categorically that particular documents are either totally mandatory or optional.

Bottom line: if you really intend to take such a clear-cut line on the differences between
policies and guidelines in terms of the mandate or obligation to comply, be aware that in so doing you will be creating
a whole new set of problems.

* Even laws work this way. The police and judicial systems have some
discretion in applying them. Some commonplace practices break the laws
and are strictly-speaking illegal, but offenders are not necessarily
prosecuted or if they are may be given nominal penalties.